The GDPR and Application Protection

The General Data Protection Regulation (GDPR) is a European regulation intended to strengthen and unify data protection for all individuals within the EU, but it also addresses the export of personal data outside the EU.
The regulation comes into effect in May of 2018 and organizations worldwide are working to ensure their security policies and procedures comply with the new legislation.

Development and DevOps may be overlooked but they are not exempt.

Because data is created, accessed, and changed through applications, protecting your applications is a key component to protecting your data.
Adding application protection to your secure software development lifecycle makes it more difficult for people and machines to exploit those applications.

Why is the GDPR getting so much attention?

Increased penalties ratchet up per-incident costs. The higher the cost, the higher the per-incident risk.

New organizational obligations with a global reach mean more companies have more ways to fail.

The “state of the art” GDPR compliance standard differs substantially from the more common “reasonable” standard. Industry norms have been replaced by computing best practices as the reference standard.

Other than security-centered businesses, no organization can expect to be prepared to neutralize hackers looking to carve out their piece of the $1 trillion cybercrime market.

GDPR and Development: Processor liability and risk

For the first time, Data Processors (those who process, publish, transport and store private data) have regulatory and statutory obligations. Prior to the GDPR, security and notification obligations (and the fines and other penalties that can follow) only applied to Data Controllers (those who own the data and set processing policy).

Processor Obligations

The GDPR mandates that processing systems account for:

“State-of-the-art” hacking techniques and their corresponding countermeasures, not only at the time of system deployment but continuously. There is no reasonable way to meet this standard without an ongoing investment in tracking cyber threat and countermeasure developments,

The cost of safeguarding implementations (time, money, other risks), as well as

The relative likelihood and severity of any given class of data breach occurrence.

Balancing current risk against the cost and side effects of mitigating that risk is consistent with well-understood risk management practices. For a discussion of these basic risk concepts in the context of application development, see The Six Degrees of Application Risk.

Development and DevOps Are Not Exempt

“Would a Data Processor be liable under The GDPR if the Processor develops software that is shown to have included avoidable vulnerabilities that subsequently led to a data breach?”

On September 22, 2017, in an official response, the Europe Direct Contact Centre (EDCC) replied (in part) as follows:

“The GDPR requires that the controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures” – including “the requirements stemming from data protection by design and by default and those on (application) security.”

Put more succinctly, the EDCC responded YES. Data Processor Development and DevOps organizations are not exempt from GDPR obligations.